Gaming: Malwarebytes Says A Fake Google Account Security Page Is...
Keep up to date with the most important stories and the best deals, as picked by the PC Gamer team.
Cybersecurity provider Malwarebytes has thrown up a red flag regarding a fake Google Account security page that it says is distributing "what may be one of the most fully featured browser-based surveillance toolkits we have observed in the wild", and it's capable of infecting Windows, Apple, and Google Android devices.
In a blog post breaking down the methodology of the attack, Malwarebytes says that the infiltration begins with what appears to be a genuine Google Account security check, from a page with Google's familiar stylesheet and with an official-looking domain.
A prompt then asks to install "security software" via a Progressive Web App (PWA) as part of a four-step process, which proceeds to gradually grant the attacker access to notifications, contact lists, real-time GPS location, and the contents of the host machine's clipboard, among others.
If a victim installs the PWA and grants requested permissions to the site, simply closing the tab is not enough to prevent it from access. The page script itself runs as long as the app or tab is open, and attempts to read the clipboard, looking for "one-time passwords and cryptocurrency wallet addresses". It also attempts to intercept SMS verification codes on mobile devices, and polls the API every 30 seconds as it waits for operator commands.
However, with the app and tab closed, a separate service worker runs malicious, data-stealing tasks in the background, and even queues stolen data locally if the device goes offline, before sending its payload as soon as the connection is restored.
"Close the browser tab and the page script stops. Clipboard monitoring and SMS interception end immediately," says Malwarebytes. "But the service worker remains registered. If the victim granted notification permissions, the attacker can still wake it silently, push a new task, or trigger a data upload without reopening the app. And if the victim ever opens it again, collection resumes instantly."
The malware also operates as a WebSocket relay, which means it can act as an HTTP Proxy and be used to gain access to corporate networks, bypassing IP-based access controls and funnelling traffic through the victim's IP address. "Once connected, the attacker can route arbitrary web requests through the victim’s browser as if they were browsing from the victim’s own network", says Malwarebytes.
Keep up to date with the most
Source: PC Gamer
